HTTPS certificate – issues


    toxicfusion
    Participant

    Hello,

    When configuring VitalPBX to use a LetsEncrypt certificate, it doesn’t appear to work properly. I still get an SSL error when navigating to the portal. Also, the info is wrong.

    I manually created an SSL cert using certbot (letsencrypt), then created a symbolic link to the letsencrypt cert and linked it to the appropriate directory, so my vitalpbx.conf httpd file does not point to certs in /etc/.. for security reasons. I manually modified the /etc/httpd/conf../vitalpbx.conf to have the .pem file location. It works beautifully.

    However, after any updates or modifications made to HTTP settings or firewall settings in the VitalPBX webUI, it recreates the httpd.conf file and breaks HTTPD (it fails to start because the certs are not found). So I have to manually edit the config again, or copy back the known good one.

    Is there a workaround for this?

    Also, when using SSL the dashboard is blank. Is this a Firefox/Safari issue?


    We have our demo server with Let’s Encrypt (https://demo.vitalpbx.org/); the certificate was generated from the GUI without any issue.

    You may check if the certificates folder under /usr/share/ombutel has been created with the right owner, group and permissions.

    Permissions: 2755

    Owner and Group: apache

    toxicfusion
    Participant

    Gotcha, I’ll give this another try!

    toxicfusion
    Participant

    This is what happens when I try to use the built-in LetsEncrypt certificate… I create it within

    Admin >> Sys. Settings >> Certificates >> Lets Encrypt… save…

    Admin >>> HTTP server >> Select cert, Save

    and then I try to restart the httpd service. FAILS. The bundle.pem is empty.

    This is 100% why I manually did certbot, created my own cert files and created symbolic links. But the vitalpbx.conf httpd file gets overwritten every time there are changes. So as long as I don’t have to bounce the httpd service, the webUI works.

    systemctl status httpd
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
       Active: failed (Result: exit-code) since Wed 2018-10-10 08:57:19 EDT; 14s ago
         Docs: man:httpd(8)
               man:apachectl(8)
     Main PID: 19298 (code=exited, status=1/FAILURE)

    Oct 10 08:57:19 sip-host.mydomain.com systemd[1]: httpd.service failed.
    Oct 10 08:57:19 sip-host.mydomain.com systemd[1]: Starting The Apache HTTP Server...
    Oct 10 08:57:19 sip-host.mydomain.com httpd[19298]: AH00526: Syntax error on line 26 of /etc/httpd/conf.d/vitalpbx.conf:
    Oct 10 08:57:19 sip-host.mydomain.com httpd[19298]: SSLCertificateFile: file '/usr/share/ombutel/certificates/sip-host.mydomain.com/bundle.pem' does not exist or is empty
    Oct 10 08:57:19 sip-host.mydomain.com systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
    Oct 10 08:57:19 sip-host.mydomain.com kill[19299]: kill: cannot find process ""
    Oct 10 08:57:19 sip-host.mydomain.com systemd[1]: httpd.service: control process exited, code=exited status=1
    Oct 10 08:57:19 sip-host.mydomain.com systemd[1]: Failed to start The Apache HTTP Server.
    Oct 10 08:57:19 sip-host.mydomain.com systemd[1]: Unit httpd.service entered failed state.
    Oct 10 08:57:19 sip-host.mydomain.com systemd[1]: httpd.service failed.

    toxicfusion
    Participant

    UPDATE:

    I recreated the symbolic links to be a 1:1 match with what the /etc/httpd/conf.d/vitalpbx.conf file has specified. This fixed the httpd restart issue. However, I did uncover a bug.

    BUG report:

    When using an SSL certificate (by any method) AND the HTTP server port is changed from the default :80 to ANY other web port, the Dashboard breaks and does not display stats. As soon as I change the system settings back to port :80 for HTTP, the dashboard works fine.

    Can there be a fix for this? I do NOT like to use :80 for HTTP on a PBX server. When navigating to the HTTP site address, everything works fine. However, when another HTTP port is defined, the HTTP(S) dashboard is broken. This also breaks the switchboard and fop2.


    What is the output of

    ll /usr/share/ombutel/certificates/

    What is the expiration date shown in the web UI?

    toxicfusion
    Participant

    Well, I have my /etc/letsencrypt/live/domain/.pem files symbolically linked to the proper files within /usr/share/ombutel/certificates/ in order to fix the SSL issue.

    Now, within the webUI, when I select the LetsEncrypt cert I created:

    1969-12-31

    ####
    note: I’ve modified the output for security.

    ll /usr/share/ombutel/certificates/
    total 40
    drwx--S--- 2 apache apache 4096 Sep 25 23:14 _account
    -rw-r--r-- 1 apache apache 164 Sep 26 16:28 ca.cfg
    -rwxr-xr-x 1 apache apache 1720 Sep 26 16:28 ca.crt
    -rwxr-xr-x 1 apache apache 3243 Sep 26 16:28 ca.key
    drwxr-sr-x 2 root apache 4096 Oct 10 09:09 sip-host.domain.com
    -rw-r--r-- 1 apache apache 244 Sep 26 16:30 sip-host.domain..com.cfg
    -rwxr-xr-x 1 apache apache 1346 Sep 26 16:30 sip-host.domain.com.crt
    -rwxr-xr-x 1 apache apache 725 Sep 26 16:30 sip-host.domain.com.csr
    -rwxr-xr-x 1 apache apache 891 Sep 26 16:30 sip-host.domain.com.key
    -rwxr-xr-x 1 apache apache 2237 Sep 26 16:30 sip-host.domain.com.pem
    toxicfusion
    Participant

    OK, it appears I’ve resolved my issue with the HTTPS certificate. The internal webUI-driven LetsEncrypt is still not working, but I was able to use my own certbot/letsencrypt-generated certificate, and the dashboard is working along with everything else.

    I just had to do a 1:1 map of filenames to match exactly what is in the /etc/httpd/conf.d/vitalpbx.conf file.

    So my symbolic links from the letsencrypt .pem files are the same as what is called for within the vitalpbx.conf file… all is good and survives httpd restarts.


    To check why Let’s Encrypt is not working from the GUI, you may check the log files under /var/log/vitalpbx/.

    Also you may check:

    • If the www folder under /usr/share/ombutel has apache as owner and group
    • Check if the www folder has the right permissions (755)

    stat -c "%a %n" /usr/share/ombutel/www/
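As an added check that is not part of this thread or of VitalPBX itself, the POSIX shell script below pre-flights the files a vitalpbx.conf-style httpd config points at: it catches the empty bundle.pem and the dangling symlink cases from the failed restart above, and flags the world-readable private keys visible in the directory listing. Every path and file in it is constructed for the demonstration; point check_httpd_tls at /etc/httpd/conf.d/vitalpbx.conf on a real host instead.

```shell
# Added example, not VitalPBX's own tooling: pre-flight the TLS files an httpd
# config references so the AH00526 "does not exist or is empty" failure seen
# in this thread is caught before restarting httpd. Paths below are constructed.

# Print the paths named by SSLCertificate{,Key,Chain}File directives in a config.
ssl_paths() {
    awk '$1 ~ /^SSLCertificate(Key|Chain)?File$/ { gsub(/"/, "", $2); print $2 }' "$1"
}

# Check one TLS file: it must exist, be non-empty and, if a symlink, resolve
# (the poster's fix was making symlink names match the config 1:1). Also warn
# when a private key is world-readable. Returns 0 only when httpd can load it.
check_tls_file() {
    f=$1
    if [ -L "$f" ] && [ ! -e "$f" ]; then echo "BROKEN SYMLINK: $f"; return 1; fi
    if [ ! -f "$f" ]; then echo "MISSING: $f"; return 1; fi
    if [ ! -s "$f" ]; then echo "EMPTY: $f"; return 1; fi
    case $f in *.key|*privkey*)
        # 8th column of "ls -l" is the others-read bit
        case $(ls -lL "$f") in ???????r*) echo "WARN: world-readable key: $f";; esac;;
    esac
    echo "OK: $f"
}

# Check every file the config references; exit status = number of unusable files.
check_httpd_tls() {
    bad=0
    for p in $(ssl_paths "$1"); do
        check_tls_file "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

# Constructed scenario in a temp dir (hypothetical paths): a 0-byte bundle.pem
# and a dangling symlink to a letsencrypt path, plus one good file.
make_demo_conf() {
    d=$(mktemp -d)
    mkdir -p "$d/certificates/sip-host.example.com"
    : > "$d/certificates/sip-host.example.com/bundle.pem"
    ln -s "$d/letsencrypt/live/privkey.pem" "$d/certificates/privkey.pem"
    echo 'constructed certificate' > "$d/certificates/ca.crt"
    printf 'SSLEngine on\nSSLCertificateFile %s\nSSLCertificateKeyFile %s\nSSLCertificateChainFile %s\n' \
        "$d/certificates/sip-host.example.com/bundle.pem" "$d/certificates/privkey.pem" \
        "$d/certificates/ca.crt" > "$d/vitalpbx.conf"
    echo "$d/vitalpbx.conf"
}

conf=$(make_demo_conf)
check_httpd_tls "$conf" || echo "$? TLS file problem(s) found in $conf"
```

Running it with a restart-safe config should print only OK lines and exit 0; any EMPTY, MISSING or BROKEN SYMLINK line is exactly what httpd will refuse to start on.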